
Assessing EU data protection regulation

In the document REPORT OF THE CEPS DIGITAL FORUM (pages 29-35)

3. An assessment of EU data protection policy

3.2 Is data protection meeting good regulation standards?

3.2.2 Assessing EU data protection regulation

This section analyses the EU framework on data protection as it pertains to online personal data processing against the catalogue of criteria for good regulation. In retrospect it considers experiences with the EU regulatory framework on data protection and introduces a forward-looking prognosis regarding the reform proposals.

1) Legitimacy

In light of EU primary law and the new EU competence in Art. 16 TFEU, the legal basis and mandate for EU data protection legislation are not causes for concern. Instead, and as a recurrent feature of EU harmonisation legislation, the concerns centre on the dual aim of EU directives on data protection (see section 2.2.1). As one participant of the Task Force argued, the combined objective to ensure the protection of personal data and the free flow of personal data between member states creates tensions because of apparently clashing philosophies.

However, the data protection Directive itself offers an interpretation that would reconcile the different ends. According to the Directive, member states should not restrict or prohibit in

• Individual policies are not internally contradictory

• Harmonisation of laws in the EU

Thus, in the internal market, cross-border processing of personal data should be enabled as long as personal data are lawfully obtained and processed in compliance with the data protection Directive. What hinders EU-wide data protection appears to be more an issue of the inconsistency of national legal frameworks and their efficient implementation than tensions between the objectives of data protection and the internal market.

2) Accountability

At the EU level, Art. 28(5) of the data protection Directive obliges national DPAs to publish a report on their activities at regular intervals. A critique that is already embedded in the EU regulatory framework, and therefore extends to the national level, is that DPAs may have too many different functions. A national DPA is expected to supervise, enforce, guide, advise, approve and advocate and, depending on the particular role assumed, the authority is required to constantly change perspective. This requirement may undermine the impartiality and arm's-length relationship of the institution (Kantor, 2010, para. 106; RAND, 2009, p. 36).

The data protection Directive requires both administrative and judicial remedies for any breach of an individual’s rights under national data protection laws (Arts 22 and 28(4)).

Commonly, the parallelism of regulatory supervision and judicial redress is considered to be a strong accountability mechanism. Ultimately, national courts oversee the decisions of national DPAs, and individuals have the additional possibility to call on national courts for decentralised enforcement of the data protection Regulation. Insofar as democratic accountability of national DPAs and the right to appeal against their decisions are concerned, this has to be taken into account when assessing national data protection regimes.

The accountability of data controllers and processors, however, is a question of regulatory effectiveness, as discussed below.

3) Due process

A regulation adheres to due process requirements if regulatory procedures are sufficiently transparent (e.g. work programme, draft and final decisions are published) and participatory (consultations, right to be heard). The split between EU legislation and member states' transposition means that local governmental and administrative culture will influence due process in the implementation of the law. Nonetheless, there are issues of due process that can be traced back to the provisions of the EU data protection Directive. On a positive note, this Directive recognises the need for transparency in that it requires DPAs to maintain a public register of processing operations that have been notified to them (Art. 21(2)).

Participation, however, is less pronounced under the present framework, which may for example hamper due process when drawing up private codes of conduct at national and EU level (Art. 27). Also, WP29 does not allow for participation of civil society and business representatives, irrespective of the consideration that DPAs are supposed to make up for power imbalances (Poullet & Guttwirth, 2008, p. 27; RAND, 2009). Attention to the fair representation of the interests of data subjects vis-à-vis data controllers is becoming paramount the more the information-rich economy progresses and the role of private policies increases (e.g. codes of conduct but also standards-setting).

In the preparation of and during the legislative process of the data protection reform, the European Commission launched two public consultations and held targeted consultations with private sector organisations, NGOs and member states. It also convened public events and fora to discuss contemporary challenges to data protection, to introduce and stimulate reform proposals and to gather stakeholders’ feedback. Task Force members participated in these events and CEPS contributed by organising a public panel on data protection reform, adding to the host of events surrounding the international 2013 data protection day, celebrated on January 28th every year.12

4) Expertise

In some regulatory regimes, there is pressure to delegate expertise to specialised agencies (Majone, 2005, p. 135; Gilardi, 2005, p. 102), while in data protection, DPAs were set up as guardians and to institutionalise data protection (FRA, 2010, p. 10). Bundling expertise obviously matters, but requiring too much of it would actually be counterproductive to promoting good practices in data protection (see the clarity criterion below). However, online personal data-processing practices and analytics advance rapidly and require specific expertise that cuts across statistics, computer and systems engineering and IT management.

National DPAs have often been criticised for their lack of technical and IT forensic expertise, which greatly inhibits their ability to monitor compliance and enforce data protection regulation in the context of online data-processing activities (Kantor, 2010, para. 105).

Reflexive governance connotes a learning process that can complement the governance of data protection in the EU, which is arguably a moving target that requires a constant adjustment of regulatory focus. The expertise needed in the context of reflexive governance requires the definition of policy priorities, exercising discretion and anticipating problems, compromise and consensus-seeking that goes beyond the exercise of top-down authority (Poullet & Guttwirth, 2008, p. 27). WP29 exemplifies some aspects of reflexive governance already when setting priorities in the work programme and selecting problematic issues in the protection of personal data that are followed through (e.g. Google’s new privacy policy).

The capacity for reflexive governance of DPAs at the national level varies, with some being less able to effectively set and follow through their own priorities and enforcement strategies (European Commission, 2003, pp. 12ff; FRA, 2010, p. 42). Given the ubiquity of data processing activities, reflexive governance needs to be strengthened and effected at all levels (Poullet & Guttwirth, 2008, p. 27).

12 An initiative of the Council of Europe (see http://www.coe.int/t/dghl/standardsetting/dataprotection/Data_protection_day_en.asp).

5) Efficiency and effectiveness

This criterion tackles whether the legislative mandate has been implemented efficiently in the member states and whether data protection regulation is effective in practice.13 It does not address the costs of compliance, which are taken up below (see section 3.3.5).

Efficient implementation of the legislative mandate

The implementation of the data protection Directive was reviewed in 2003 and 2007 (European Commission, 2003 and 2007). Both reviews acknowledged progress made with respect to the internal market for personal data, but noted the differences between member states on how the Directive was transposed, applied and enforced. The European Commission could be “more robust in taking action against member states that manifestly do not properly apply the provisions of the directive” (Kantor, 2010, para. 91).

In 2007, the European Commission was satisfied that the Directive ensured a high level of data protection (European Commission, 2007a, p. 9), notwithstanding that most evidence pointed towards deficiencies with compliance and enforcement (see below). Eventually, in 2010 the European Commission concluded that the EU needed a more comprehensive and coherent policy on the fundamental right to personal data protection (European Commission, 2010c), which led to the proposal for a general data protection Regulation in 2012 (European Commission, 2012a).

Effectiveness in terms of enforcement and compliance

A lack of credible and effective enforcement is one of the weaknesses of the data protection Directive. For example, research that used the number of notifications (pursuant to Art. 18 of the Directive) as an indicator for assessing the effectiveness of the Directive regularly concluded that data controllers often do not notify DPAs about automated data processing operations (FRA, 2010, p. 29; European Commission, 2012b, p. 133). This criticism is mainly addressed to national DPAs, which do not adequately monitor and enforce data protection compliance (FRA, 2010, p. 29; Kantor, 2010, para. 104; see also European Parliament, 2011, paras 28 and 44). In addition to the shortcomings identified in relation to expertise and accountability, DPAs' watchdog function is particularly obstructed because:

- DPAs are under-resourced, both in terms of staff and financial means (FRA, 2010, p. 8; European Parliament, 2011, para. 28; Rand, 2009, p. 35);

- Member states emphasise 'soft' methods to promote compliance with data protection legislation over 'hard' instruments that would enforce and sanction non-compliance more rigorously (FRA, 2010, p. 8);

- Sanctions are 'mosquito bites' – to quote one of the contributors to the Task Force; in particular the maximum amount of pecuniary fines is insignificant compared to the revenues of large data controllers (FRA, 2010, p. 6); and

- Cross-border cooperation and enforcement action among DPAs is lacking or insufficient (European Commission, 2012b, Annex 10).

13 Implementation consists of the practical steps taken by national authorities to give effect to, here, the EU regulatory framework on data protection; compliance consists of the actions undertaken by public and private parties to abide by an EU act; and finally enforcement is the process of ensuring compliance, through monitoring and prosecuting (Nicolaides, 1999, p. 5).

Individual legal remedies before courts, albeit in place in all member states, are rarely resorted to (Korff, 2010, p. 98). Possible explanations of this lack of private enforcement action may be:

- Damages to the individual may not occur immediately after the violation of privacy obligations;

- Damages may be difficult to quantify; or

- Individual damages are too small to compensate for the cost of legal action (Rand, 2009, p. 35).

Effective enforcement is even more under strain in the context of online data processing because:

- Proof of violations and damages is more difficult;

- The cross-border extent of data practices is the rule rather than the exception; and

- Cross-border enforcement of legal rights before the court is more cumbersome and costly (European Parliament, 2011, para. 5; Rand, 2009, p. 41).

Consequently, the European Commission’s proposal for a general data protection Regulation clarifies enforcement mechanisms, introduces higher sanctions and new consistency mechanisms as well as other means of compliance, such as the appointment of Data Protection Officers (DPOs) by controllers (European Commission, 2012a).

6) Coherence

Since the EU data protection framework pertaining to online personal data processing is a combination of different instruments (i.e. the data protection Directive and the e-privacy Directive as amended by the data retention Directive) as transposed into the national laws of 27 member states, overall consistency is known to be a major challenge. EU policy-makers, practitioners and pundits agree that the level of harmonisation achieved in data protection is not sufficient, and that national variations in terms of implementation, interpretation and enforcement considerably hamper the internal market for legitimate personal data processing (see in particular European Commission, 2012b, p. 11; TrapleKonarskiPodrecki and Partners and European Legal Studies Institute, 2012 p. 42; Kantor, 2010, paras. 45ff.).

One of the central motivations for the EU data protection reform is to establish a uniform general data protection Regulation (European Commission, 2012a and b). The European Parliament (2011) in its resolution of 6 July 2011 on a comprehensive approach on personal data protection in the European Union agrees that full harmonisation is the way forward while maintaining the level of data protection that the EU data protection Directive of 1995 already provides.

7) Clarity

A regulation which applies horizontally to all types of automated or systematic processing of personal data in the public and the private sector should aim for legal certainty14 and clarity.

By way of analogy, Task Force participants invoked public traffic rules, which would fail their primary objective of organising public traffic and protecting all participants in it if the system of rules were too complex. Likewise, data protection regulation is bound to pervade all aspects of public and private organisations' activities vis-à-vis individuals whose personal data are protected subject matter. For its own sake, data protection should embrace simplicity, because simplicity is a driver of compliance.

The envisaged Regulation that would bring about one single set of data protection rules in Europe is an important step in the right direction because it consolidates the jurisdictions of 27 member states. However, because the new Regulation would be directly effective, the legal document has to engender policy acceptance flowing directly from its text. Most Task Force participants would concur that the reform proposal is astonishingly complex and, aside from any substantive critique, is capable of being implemented by larger organisations but may fail to gain recognition by small to medium-sized enterprises (SMEs) and individual data processors. This claim for simplification is not about deregulation: one can have very simple yet strict rules.15

8) Flexibility

Ultimately, in order to keep pace with technical and economic developments, EU data protection regulation should maintain the principles of technological and business-model neutrality (Traple Konarski Podrecki and European Legal Studies Institute, 2012; RAND, 2009, p. 24). Although neutrality is a guiding principle of the 1995 Directive, dramatic changes in data processing practices in scale, scope and magnitude rendered modernisation necessary. The Regulation must be capable of internalising pending technological paradigm shifts, such as cloud computing, and be sufficiently flexible to apply to new data-driven business models, e.g. big data.

14 In the EU judicial system, legal certainty is based on the concept of legal predictability.

15 Reducing legal complexity would sometimes require a decision whether a rule should be stricter or more relaxed and whether and how to introduce derogations. What matters most is to take the perspective of those who will be applying the regulation in question.

To sum up the assessment, EU data protection regulation is performing reasonably well against criterion #1 (legitimacy). There is scope for improvement regarding #2 (accountability) with respect to the omnibus role of DPAs, #3 (due process) with respect to participatory processes and #4 (expertise) with respect to DPAs’ capacity for reflexive governance, while #6 (coherence) is being taken up in the data protection reform. Major deficiencies show in two criteria, i.e. #5 (efficiency of the regulation) in terms of compliance and enforcement and #7 (clarity), in terms of the normative framework. The regulation appears to internalise criterion #8 (flexibility), but practical applications are lacking, which could be a topic for an EU research and innovation priority.
